Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:16 AM
Connect Directly

Newly Discovered Evasion Method For Targeted Attacks Silently Bypasses Network, Application Security

IDS/IPS, firewalls, Web application firewalls are among at-risk devices for technique that lets attackers sneak inside

CERT-Finland has reported a newly discovered technique that evades network and security devices -- namely IDS/IPS systems, but it could also work against network firewalls and Web application firewalls -- and lets attackers sneak in and conduct targeted attacks against an enterprise network.

The threat, which was discovered by researchers at Stonesoft's Helsinki labs, is based on vulnerabilities inherent in several vendors' IDS/IPS products, according to CERT-Finland, which has alerted the affected IDS/IPS vendors. The names of the vendors and their products have not been released publicly.

Jussi Eronen, head of vulnerability coordination at CERT-FI, which first issued an alert on the threat on Oct. 4, will update its vulnerability alert on the threat today.

Stonesoft says the attack method takes advantage of how TCP/IP handles packets. "It takes advantage of the fact that the TCP protocol allows conservative creation of packets, but liberal receiving of packets," says Matt McKinley, director of U.S. product management at Stonesoft. "There are predictable, limited ways you can evade an IPS ... packets can only be created in a few ways. We came up with a way to create packets that don't conform to rules and confuse IPSes in ways that conventional methods cannot do."

McKinley says it lets the attacker work his way inside the network without being noticed. "It's a way to knock at the door until something lets you in because there's no way to detect it. It continues to knock until something lets it in," he says. "When the packet then makes it to the host, the host is designed to look only at the things it's interested in and ignore all else ... it's end to end delivery [of a malicious payload]."

McKinley says the attack could also work against other network security devices, including firewalls. It would likely be used to spread a network worm akin to the Stuxnet attack or some other targeted attack, he says. "It's a way to deliver [a worm] into a network and cause any kind of harm you want," McKinley says.

How difficult would it be to pull off this attack? "That's the creepy part. The impact of this is fairly simple. We feel it's well within the means of motivated hackers to do it. This is not particularly complicated," McKinley says.

ICSA Labs has verified the attack and is also sounding the alarm about the risk to enterprises. Jack Walsh, intrusion detection and prevention program manager at ICSA Labs, says it could take some time for network security vendors to add protection for this attack to their products, thus leaving enterprises at risk until those patches become available. IDS/IPSes, firewalls, next-generation firewalls, and Web application firewalls are most at risk of this evasion technique, he says.

Walsh says the evasion technique itself basically gives attackers a foot in the door to do their dirty work, and it can affect more than just TCP/IP protocols. "It's only after the evasion is coupled with an attack that they exploit some vulnerability," Walsh says. "The weakness that the evasions take advantage of are in the protocols, but the affected protocols aren't limited to TCP/IP. Some evasions affect higher layer application protocols as well."

And protocols aren't the only thing vulnerable to this evasion technique, he says. "The standards defining the protocols suggest a certain amount of permissiveness between sending and receiving systems to ease interoperability and communication. Our need for systems to be interoperable and our need for communication between systems to be as easy as possible allow these evasions to work," Walsh says.

Once inside, attackers can compromise data and steal information from enterprises, he says. And it's even possible they have been using this method already, unbeknown to victim organizations. "Given that these evasions have always existed, criminals could be using them already. If they are in use, then there would be little evidence of it," Walsh says.

Some vendors might need to rearchitect their products to fix this, while others might have to patch or build in protections, Walsh says.

Meanwhile, CERT-Finland's Eronen wouldn't provide details of the products known to be affected thus far or their weaknesses that allow for the attack since coordination among the vendors is still under way.

"If [targeted] networks have systems that are for some reason left unpatched -- legacy systems, no supported patches available, compliance does not allow for any system modification, just to name a few possible reasons -- and IDS/IPS systems are employed as virtual patches, then these systems are particularly vulnerable to attacks using evasion techniques," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-20
In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifi...
PUBLISHED: 2019-08-20
FlightPath 4.8.3 has XSS in the Content, Edit urgent message, and Users sections of the Admin Console. This could lead to cookie stealing and other malicious actions.
PUBLISHED: 2019-08-20
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
PUBLISHED: 2019-08-20
FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
PUBLISHED: 2019-08-20
FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.